diff options
author | Emilian Peev <epeev@google.com> | 2017-11-06 10:41:19 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-28 03:33:29 +0000 |
commit | e770e378dc8e2320679272234285456ca2244a62 (patch) | |
tree | eba582dc8d09a29d1ad5b7163b243a6eeff26f2d | |
parent | 34893ec78fce2961bccaee6f81448c2fcfb7811d (diff) | |
download | media-e770e378dc8e2320679272234285456ca2244a62.tar.gz |
Camera metadata: Check source metadata size
Source size passed by client could be smaller than 'camera_metadata_t'.
In this case the cast in 'allocate_copy_camera_metadata_checked()' will
be incorrect and we will try to access invalid heap memory.
Bug: 67782345
Test: Camera CTS
Change-Id: I9582c704f414493978d09ffb603b5e8368cda5ce
(cherry picked from commit 489bbd13bf0add8029444b9d9505b3d118776ea3)
-rw-r--r-- | camera/src/camera_metadata.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c index dc800860..e99abc4f 100644 --- a/camera/src/camera_metadata.c +++ b/camera/src/camera_metadata.c @@ -228,6 +228,12 @@ camera_metadata_t *allocate_copy_camera_metadata_checked( return NULL; } + if (src_size < sizeof(camera_metadata_t)) { + ALOGE("%s: Source size too small!", __FUNCTION__); + android_errorWriteLog(0x534e4554, "67782345"); + return NULL; + } + void *buffer = malloc(src_size); memcpy(buffer, src, src_size); |